Tag: Tips

Recovering erased files with Camera Salvage Pro can pull back those photos you accidentally wiped, but not the image names. File names are usually stored in a separate index from the files themselves, and so it’s impossible to recover names. But with FileName Extreme, you can use the meta data contained inside an image to get something close to the original file name, or what’s more, possibly even a better name.

Here’s how….

After Camera Salvage Pro (or FileSalvage) recovers the files, open up the recovered picture folder (it can be JPEGs, Canon CR2’s, Nikon NEF’s, Sony’s ARWs, and many other picture formats Camera Salvage Pro supports) and take a look at the names of the files. The files names are in list numbers, making identifying the files a daunting task.

Drag the folder of unnamed files to the right hand side of the FileNameExtreme window.

Click Examine for FileName Extreme to read the file data.

Once FileName Extreme finished analyzing the files, it will move to the next window. On the upper right hand panel, select Type, then scroll down the Rename Type panel to select EXIF MetaData.

You can then select various fields you may want to include in your file names. We recommend selecting Make and Model (of the cameras), DateTimeDigitized, Pixel Height, and Pixel Width.

Once you have them checked, you can arrange the order on how they appear in the new names.

Next select Prefix, click Replace Name, and click Next.

A list of files with the current names will be listed. The Preview name will be updated only when you click on the Preview button.

Once you click on the Preview button, the preview Name will be updated to the ones you selected.

Noticed that some of the files may be duplicates (sometime data recovery products recover the same file more than once).

If you notices there are duplicates, click on Preview Name. It will sort and rearrange the names in ascending fashion. Scroll down and look for Duplicate Name under comments. If you notice any of them (in group of two or more), uncheck all except for one. (for example, 97.jpg, 98.jpg, 99.jpg are duplicates and two of them can be deselected from rename).

Click Rename. You will be prompted one final time whether to rename the files or cancel.

Open the folder and you will see some of the files still bear the original names (they are either duplicates that you deselected from renaming or files that don’t have embedded EXIF metadata.

Back in 2011, when Apple released Mac OS X 10.7 Lion, it boasted over a hundred improvements to enhance the user experience, and one of them was the hiding of the User Library folder. To get around it, simply launch the Terminal (found in the Utilities folder inside your Applications folder) and paste in the following command and press the Enter key:

sudo chflags nohidden ~/Library/

Messing with the Terminal app isn’t an elegant method , but it allows you to access Library folder to remove a preference file, or delete an Application Support folder.

Beginning with Mac OS X 10.8 Mountain Lion forward, Apple has introduced a quick and easy way to access the Library folder.

In the Finder window, hold down the Option key while accessing the Go menu on the top menu bar, and select Library, the Library folder will open, allowing you to access its contents.

The technique will not change the Library folder to permanently visible. Once you close the Library folder, it will no longer show up in the Home folder. To access the Library folder again, you will have to perform the same procedure of selecting option-Go-Library.

If you need to access the Library folder frequently, You can still employed the Terminal method described above to unhide the Library, which will be turned visible until you tell Terminal to hide it with the command

sudo chflags hidden ~/Library/

Under macOS 10.12 Sierra, the Option-Go-Library method no longer works. Instead, you will need to do the following*:

From the Go menu, select the home folder.

Your Home folder will open and with the visible folders displayed.

To reveal the Library folder, Select Show View options and click on the check box for Show Library Folder.

Checking it will allow the Library to stay visible, even after a restart.

If you’re learning to become as a computer forensic investigator or e-discovery analyst, knowing where to look for evidence is crucial. Aside from the obvious Documents folder, Pictures folder, Movies folder, Desktop folder, and Download folder, you will also need to gather information by extracting bits and pieces from other places for analysis.

SubRosaSoft’s distributor in China, CFLabs, has been one of the pioneers on Mac Forensics in China for many years, and has published numerous articles on computer forensics. Of the many entries in CFLabs’ training forum, the following table on where to search for evidence has helped us immensely when we were developing Cache Detective. And with the permission of the author, Sprite Guo, we will be translating many of the useful Mac OS X forensics articles.

Please note the information is relevant to Mac OS X 10.11; we have noticed some locations may have been changed in Mac OS X 10.12.

A few of the applications listed above are extremely popular in China and Greater China Region. Products like Baidu Cloud, QQ, AliWangWang, and Thunder have huge installed bases and are supported by Cache Detective.

Web caches store copies of documents the user has accessed on the internet in order to reduce server access time when visiting that site again. The information contained inside web caches can help an investigator prove a crime was committed, build a timeline of events, and prove intent.

There are a large number of other folders contained within the ~/Users/“USERNAME”/Library/Cache folder that may be of interest for investigators also.

If you are interested in extracting cache files easily, and don’t want to spend the money on an expensive forensics software, consider SubRosaSoft Cache Detective. Cache Detective is a very easy-to-use utility that read the cache of many browser and chat applications and extract the files currently stored in their cache folders. It comes with presets to extract pictures, text, movies, etc… from popular browsers such as Safari, Chrome, FireFox, Opera, Chromium, Chrome Canary, and more.

Cache Detective is optimized to work on the startup volume. For cache data on non-startup volume, Cache Detective allows users to manually locate and extract the cache data.

1 in 5 computers suffer fatal hard drive crashes that can leave your valuable files gone forever even for the best of data recovery software. Using SubRosaSoft Disk Copy to make a backup of your data can insure that if a hard drive crash does happen, you’re prepared. Paying a data recovery company to get your files back usually costs thousands of dollars and takes time plus there is no guarantee they will be able to get all your information back. The fast read and write speeds of modern hard drives makes backing up even large amounts of data fairly quick and it really pays off when disaster happens. Rather than wasting time trying to recover your lost files, simply restore them from your backup and you’re ready to go again.

While SubRosaSoft Disk Copy supports multiple backup modes such as cloning, synchronization, incremental backups, and scheduled backups, it’s limited to Mac drives and will not clone non-Mac partitions such as Windows or Linux. If you want to backup a multi-partition drive or a dual boot (Mac OS X and Windows) device, consider SubRosaSoft CopyCatX instead. CopyCatX is device and file system independent application, which means that the user can clone or create disk images from any normal Mac OS drive, Windows, Linux device, or even TiVO drive.

Everyone has experienced times when they wish they could access their home computer while on the road. Maybe you forgot an important document, want a special music file, or just forgot to shut your computer down. If you have 2 Macs both running iCloud (Mac OS X 10.7 Lion or 10.8 Mountain Lion), you can easily SSH intothe other one using the Terminal in just a few easy steps, giving you remote access from anywhere.

Before we get started, make sure Back To My Mac is enabled on your Macs. To check, goto System Preferences and the iCloud preferences to make sure that the Back To My Mac option is enabled. Next you must make sure that sharing is enabled on the computer you will SSH into. Goto the Sharing system preference and make sure that the boxes for File Sharing and Remote Login are both checked to allow those sharing types.

Now that you have those items setup, it’s time to find your iCloud account number. In the Terminal (Applications > Utilities), type the following:

dns-sd -E

The final 9 digits are your iCloud account number.

Now it’s time to SSH into your Mac through iCloud. Type the following (or copy and paste it) with your iCloud account number inserted into the space given:

You will need to know your computer’s name and your username before you SSH into it. This name can be found by going to the System Preferences Sharing preference on the destination computer. Click on Remote Login. Your Computer name is listed at the top (if it’s multiple words use the address with the dashes). Your username is listed on the line below Remote Login right before the @ symbol.

All this information can be a lot to remember. If you may use this frequently, you may want to add the following to your ~/.ssh/config file:

While Terminal does have built-in support for Back To My Mac, it doesn’t always function correctly so you may not want to rely on it (although it is easier to use when it does work).

Open Terminal, goto the Shell menu and select New Remote Connection…

In the Services list, click Secure Shell (ssh)

Your Back To My Mac computers should begin to populate on the servers list along with any Bonjour servers on your local network. Simply click the desired computer’s name, enter your username and password and click the Connect button.

SSH is a great, secure way to access your Mac remotely and with iCloud and Back To My Mac, you can do so from anywhere with ease.

Since the release of Mac OS X 10.7 Lion, OS X has been only available via download from the Mac App Store. Many users like to be able to boot from an installer device to do a clean installation of the new operating system. You can easily create a bootable Mac OS X 10.8 Mountain Lion installer flash drive using the instructions below.

To create your own bootable USB device using your own flash drive (note that the device must be at least 8GB or larger), follow the instructions below.

6) Make sure the flash drive is properly formatted highlighting the flash drive at the left (make sure to select the device and not the volume shown under it) and clicking the Erase tab across the top right. Then ensure that the Format drop-down menu is set to Mac OS Extended (Journaled) and click the Erase button. Confirm the dialog ensuring that you want to erase the device and all information on it (make sure you backup any existing information on the flash drive before this point).

7) Select the Partition tab on the top right.

Using the drop-down menu for Volume Scheme, choose 1 Partition as the partition scheme.

8) Highlight the partition by clicking on it in the space it is shown below the Volume Scheme drop-down and then click on Options underneath it. Select GUID Partition Table and click OK. This will allow the Mac boot from the drive.

You may now name the device in the Name textbox. Insure that Format is set to Mac OS X Extended (Journaled). When you have finished, click the Apply button to format the USB device. A warning will pop-up asking if you are sure you want to partition the media. Click the Partition button to continue.

9) Click on the newly created volume listed under the USB device on the left. This volume will have the name of the device you set in the previous step. Click the Restore tab at the top right. In the Source area click the Image… button. Select the disk image InstallESD.dmg and click open (you may also drag-and-drop the disk image into the Source area).

In the Destination area, make sure that the USB device’s name is showing. If it isn’t, simply click and drag the volume from the list at the left into the destination area. Click Restore and confirm the dialog informing you the volume will be erased. You will be prompted to enter the admin password for your Mac and the process will begin.

The bootable USB device will be created and a progress bar will show the current status of the operation at the bottom of the screen.

10 ) When the operation is complete, you can verify that the flash drive is now bootable by selecting it and clicking the Info button in the upper left corner of the Disk Utility window. Bootable status will show as Yes.

To boot from the USB device, simply hold down the Option key while your Mac is booting up. A screen will appear asking you which volume you would like to boot the system from. Click on the OS X installer USB drive and the system will boot using the USB stick. You will see faster boot speeds using the USB installer compared to a DVD installer disc.

Apple’s newest operating system, Mac OS X 10.7 Lion, hides a hidden application that allows the user to monitor and diagnose their wi-fi connection. The application, called Wi-Fi Diagnostics, is hidden in the CoreServices folder. To get the application, simply open your hard drive and you will find the System folder. From there follow the path below to find the Wi-Fi Diagnostics application.

/System/Library/CoreServices/Wi-Fi Diagnostics.app

Once launched, the Wi-Fi Diagnostics application gives you 4 options:

Monitor Performance

Monitor Performance displays a graph of network signal strength, noise level, transmit power, and data rate. Information such as Country Code, SSID, Channel, txPower, txRate, Signal, and Noise are logged and displayed in the area at the top of the window with each line representing a single sampling. The graph below shows a running representation of the wi-fi networks signal and noise measured in dBm. Clicking the Continue button brings the user to a screen where they can export the report either to the Finder desktop or send it the report in an email. Clicking the back button will return you to the original menu.

Record Events

This option detects and reports dropped network connections, roaming, and other network events, such as connecting to or disconnecting from a network or network device. Clicking the Continue button brings the user to a screen where they can export the report either to the Finder desktop or send the report in an email. Clicking the back button will return you to the original menu.

Capture Raw Frames

The Capture Raw Frames option captures all network traffic on the Wi-Fi interface.

Several options are available in this mode.

Capture data sent and received on the network

Capture data sent and received on my computer

Capture data from all nearby networks

There is also a checkbox for Disconnect from the network and capture only data from channel and then a drop-down menu to select the channel.

You’ve selected your option(s), simply click the Start Capturing button to begin the raw frame capture and you will be prompted on the following screen to select to either save the report to the Finder desktop or send it in an email.

Turn on Debug Logs

This option provides specific details of every wireless connection. When clicking the Start Logging button, you will be prompted to enter an administrator password. Logging will then begin with any events showing in the log. Clicking the Continue button allows you to export the report to the desktop or an email.

Data loss is a problem for anyone that uses a computer. Knowing the most common causes of data loss can help you to prevent and avoid it in the future. Here are the top 10 most common causes of data loss for most computer users.

There are countless viruses and malware out there and many of them can lead to data loss either through purposely deleting files and drives or through hard drive crashes. This is one of the many reasons that it is important to have virus protection software installed and up to date on your machine to prevent against these type of attacks which can lead to numerous headaches.

3) Physical Damage

Hard drives have platters spinning at thousands of RPMs with the smallest of tolerances. They’re sensitive pieces of machinery and bumps, drops, and other mishandling can lead to physical damage to the drive platters resulting in loss of data or corruption. Insuring that your drives are handled with care and kept at temperatures well within their recommended operating parameters helps to insure drive life and minimize the risk of data loss.

4) Accidental Formatting

Formatting a hard drive will cause a total loss of all information contained on it. This can happen simply because the user selected the incorrect device or volume when attempting to format another device. Most information can be recovered after accidental formatting but the user must act to insure they don’t use the formatted drive and use a data recovery program or call a data recovery specialist right away.

5) Head Crashes

The read write heads on a hard drive are suspended on a thin cushion of air which the spinning platter induces just few millionths of an inch away from each other. At that minuscule distance with the platter spinning at thousands of RPMs, it’s easy to see how even the smallest bump or drop can send the head crashing into the platter and cause data loss. Hard drive repair is done in a special clean room as even a speck of dust between the platter and read write head can cause a big problem. This is why users should never attempt to disassemble and repair their hard drive themselves.

6) Logical Errors

Logical errors are caused by system or file corruption, software problems, and invalid entries in file locations. They can cause corruption of other files on the drive and lead to data loss. Logical errors can be fixed using disk utilities in some cases although it’s recommended to reinstall the operating system and restore files from backup as many times repairing such issues doesn’t prevent future problems.

7) Continued Use After Signs Of Failure

Many users ignore the early signs of drive failure. Clicking or grinding noises, system hangs, and random file deletion are early warning signs that a drive may be failing yet many users choose to ignore them which can lead to data loss. When a drive starts to show these signs, back it up immediately and consider replacing it. Users may also want to run drive integrity checks and verify S.M.A.R.T. status although these do not always catch every sign of possible hardware problems.

8) Power Failure

Power failure is a common cause of data loss. Having the power go out leads to loss of unsaved files and can even lead to file corruption. The best way to prevent this type of problem is through the use of an uninterrupted power supply or UPS. Insuring that you save your files frequently during creation will also help insure you minimize file loss should you lose power.

9) Firmware Corruption

Firmware on a hard drive controls the way it operates to read and write data to the disk. It is software code that tells the drive how to carry out various tasks. Although few think about it, this code is essential to the proper operation of the hard disk. When the firmware becomes damaged, the operating system is unable to recognize or access the hard drive. Firmware corruption is hard to guard against and the best defense is always insuring that you have a proper backup of your important data. Some data recovery services can swap out the hard drives logic board containing the corrupt firmware for a working one although this service is expensive. Drive makers that use non-standard firmware and drive bridges seem to have more frequent occurrences of hard drive firmware corruption than others.

10) Natural Disasters

Acts of god can cause data loss. Lightning strikes, power surges, flood, fire and earthquakes cause physical damage to hard drives and more. Protect your data by having a quality surge protector connected to your computer devices and store backup copies of your most important data off-site at another location or with an online backup service to make sure it’s safe in the event of disaster. Keeping a current backup on a separate drive stored in a safe location is always a good idea also. Some store a backup copy of their information at home and a 2nd copy at a friend or family member’s place that swap out and keep up to date weekly or monthly.

Being aware of the most common types of data loss helps the user understand the importance of insuring their data is safe and the steps needed to prevent loss of important files. Data loss is an all too common occurrence but having proper backup copies and being prepared with good data recovery software can go a long way to minimizing the hardship and headaches that usually accompany data loss.